(54) Cryptographic authorization with prioritized and weighted authentication

(57) A system and associated method for authoriz- 
ing, or withholding authorization of, user access to a 
selected computer application or other resource, based 
on the user's response to one or more user authentica- 
tion tests. If the user is presented with two or more 
authentication tests, each with an associated test 
weight, the system optionally sums the weights of the 
tests satisfied by the user; and if this sum is greater than 
a selected test score threshold, the user is granted 
access to the resource. Alternatively, the user is granted 
access to selected subsets of the application, including 
an empty or non-empty default subset, depending upon 
the sum of the weights of the tests satisfied by the user. 
An authentication test or its associated weight may 
change at a selected time, and the selected time may 
be determined with reference to a time at which the 
resource changes. A smartcard may be used to 
respond to one or more authentication tests. 
Description

Field of the Invention 

[0001] This invention relates to use of more than 
one authentication mechanism in secure communica- 
tions. 



Background of the Invention

[0002] During the last decade of the Twentieth Cen-
tury, the Internet has become a vital communication
medium for a variety of application domains, including
simple e-mail, home banking, electronic trading of
stocks, net-based telephonic communications and
many other electronic commerce applications. Authenti-
cation of a user is becoming a key requirement in allow-
ing or authorizing a legitimate user to execute the user's
privileges in a particular network or sub-network.
[0003] Presently, many user authentication mecha-
nisms are available, including simple user name/pass-
word, one-time password (e.g., S/Key), RSA-based
digital signature authentication, Kerberos, challenge-
and-response, and Secure Socket Layer SSL v3.0 with
user/client authentication. Bruce Schneier, in Applied
Cryptography, John Wiley & Sons, Inc., New York, Sec-
ond Edition, 1996, pp. 34-74 and 566-572, discusses
and characterizes several user and/or key authentica-
tion tests that are often based on, or associated with, an
underlying encryption procedure.
[0004] One interesting authentication scheme is the
Sun Pluggable Authentication Mechanism (PAM), dis-
cussed in more detail in the following, which facilitates
integration of several authentication packages or tests
without requiring change of the underlying application
(e.g., login). Although a system such as PAM provides a
framework for integration, such a system often deals
with the plurality of authentication mechanisms as if all
have the same cryptographic or authentication strength
or priority. For example, one enterprise might require
both Kerberos (relatively strong) and user password
(relatively weak) to be used for user authentication. Use
of several authentication modules can be accommo-
dated within PAM, through the use of stacking. If the
user fails to pass one of the authentication tests, among
many that are applied in stacking, authentication is
denied, without indicating which of the many tests the
user has failed to pass. PAM treats all authentication
tests in an integrated package as equally strong and
equally suitable.

[0005] What is needed is a system that integrates
one or more authentication tests but allows assignment
of a priority or strength to each of such tests and allows
authentication to be treated as a necessary, but not a
sufficient, condition for user authorization. Preferably,
where authentication tests are integrated, these tests
should be executed based on an indicium that is a
measure of priority and/or strength for each authentica-
tion test. Preferably, the system should allow identifica-
tion of, and take account of, which authentication test or
tests the user has failed to pass. Preferably, the system
should be flexible enough to allow assignment of differ-
ent priorities and/or strengths to tests within an inte-
grated authentication package, based on the application
and the current circumstances.



Summary of the Invention 


[0006] These needs are met by the invention, which 
provides a system that integrates one or more authenti- 
cation tests and allows assignment of arbitrary (and 
changeable) relative priority and/or relative strength to
each of these tests. In one embodiment, the system
allows an integrated electronic authentication system to 
accept physical objects, such as drivers licenses, birth 
certificates, passports, social security cards and the like 
for partial or full authentication of a user, although each
of these documents is used for a different primary pur-
pose, and the purposes seldom overlap. 
[0007] In a first embodiment, the system applies 
one or more authentication tests with increasing numer- 
ical priority or strength and requires the user to pass all
or a majority of these tests up to at least a selected pri-
ority or strength, before access to the application is 
granted. The system requires the user to obtain a 
weighted average of the authentication test priorities or 
strengths at least equal to one or more selected threshold
values before access to the application, or a subset
of the application, is granted. In another embodiment, 
the system applies one or more authentication tests 
with possibly differing priority or strength, applies the 
user's test results to produce a weighted average of the
authentication test priorities or strengths, and grants
access to a subset of the application, depending upon 
how the user's weighted average compares with one or 
more of a sequence of threshold values. 
[0008] The invention has the following advantages:
(1) the invention strengthens an association or linkage
between authentication and the authorization process; 
(2) the invention allows identification of which authenti- 
cation test(s) is being used; (3) the invention extends an 
integration procedure, such as PAM, without distorting
the procedure; (4) the invention enhances total security
of the authorization process; (5) the invention preserves 
and deals with authentication mechanisms based on 
their relative merits and can allocate relative priority 
based on relative cryptographic strength; and (6) the
invention allows an entity to classify those with whom it
deals (customers, suppliers, etc.) for authorization pur- 
poses. 

Brief Description of the Drawings 


[0009] 

Figure 1 illustrates the architecture of a resource 
access system that requires user authentication.
Figures 2A-2B and 3A-3B-3C are flow charts of 
procedures for practicing single-threshold and mul- 
tiple-threshold embodiments of the invention, 
respectively. 

Figures 4A-4B are a flow chart for practicing a "top 
down" embodiment of the invention. 

Detailed Description of the Invention 

[0010] In the invention, user authentication is 
treated as a necessary, but not sufficient, condition for 
user authorization in this system. Authorization level 
varies from user to user, based on the user's role, group 
membership, privileges, past behavior and the like. If
the user satisfies or passes all authentication tests, the 
user is allowed access to a maximal set, consistent with 
the user's status, of domains or privileges. If the user 
passes some, but not all, of the authentication tests, the 
user is allowed access to a selected subset of the max- 
imal domain, where the selected subset may be a 
proper subset or may be the maximal set and will vary 
according to the tests passed, or not passed. 
[0011] Strength of an authentication test can be 
objectively evaluated. For example, SSL v3.0 with 
authentication is believed by many to be a stronger 
authentication test than is Kerberos, discussed in Sch- 
neier, op cit, pp. 566-572; and Kerberos is considered to 
be a stronger test than a simple user/password test. If 
these three authentication tests are integrated, an
assessment of authentication relative strength for use in 
the invention might run as follows. 



Authentication test    Relative strength
SSL v3.0               1
Kerberos               2
User/password          3



A weight w_i (0 < w_i < 1) may be assigned to each
authentication test, with a higher weight being assigned 
to a test with higher relative strength. In one embodi- 
ment, relative priority of an authentication test is 
equated with the relative strength of a test. In another 
embodiment, relative priority is assigned to each of sev- 
eral tests, independently of their relative strengths, 
based on the circumstances in which the tests will be 
used in an integrated approach. 

[0012] The Pluggable Authentication Mechanism
(PAM), discussed in detail by Vipin Samar and Charles
Lai in "Making Login Services Independent of Authenti-
cation Technologies", presented at the Third ACM Con-
ference on Computer and Communications Security,
March 1996, is useful as a guide in implementing the
invention. The Samar et al. article notes that most UNIX
systems presently use a login procedure based on a
modified Data Encryption Standard (DES) algorithm, 
which assumes that the password cannot be guessed 
and that the password does not pass over the communications
channel in cleartext. These assumptions are
acceptable when communications occur only within a 
trusted network. However, an open network, such as an 
internet, requires use of more restrictive and stronger 
authentication mechanisms. Examples of these
stronger mechanisms include Kerberos, RSA digital sig-
nature, Diffie-Hellman, S/Key and other one-time pass- 
words, and challenge-and-response and smart card 
authentication systems. 

[0013] One goal of a PAM system is to require
possibly-different methods of authentication, depending
upon the application. For example, a site may require 
S/Key password authorization for telnetd access but 
allow console login access after presentation of a UNIX 
password. Another goal of a PAM system is a requirement
that a user pass more than one authentication
test, such as Kerberos and RSA digital signature tests, 
to obtain access to a particular resource or application. 
Another goal is that system-access services should not 
have to change when an underlying authentication
mechanism changes.

[0014] Core components of a suitable authentica- 
tion framework include: (1) one or more applications or 
resources, such as login, telnetd and ftpd, to which a 
user seeks access; (2) an authentication mechanism
library, such as a PAM Application Programming Inter-
face (API) or library (the front end); and (3) specific 
authentication modules, such as Kerberos, S/Key and 
UNIX user password (the back end). Figure 1 illustrates 
a relationship between these three components. When
a user seeks access to a particular application or
resource, the application calls a PAM API, which in turn 
calls one or more authentication modules that are 
required for access to that application. The appropriate 
authentication module(s), as determined by the API,
is/are loaded and presented to the user. If the user
responds correctly to the authentication test(s) in a 
PAM, access is granted. If the user responds incorrectly, 
access is denied and, optionally, the user is given 
another opportunity to respond correctly to the test(s).

[0015] A resource access system may be divided
into four areas of management functionality: authentica- 
tion, account, session and password. Authentication 
management authenticates the user and refreshes, 
upgrades or destroys the user credentials. Account
management checks user account expiration and
access hour restrictions, if any, and determines whether
a user has access to the resource at that particular date
and at that particular time. Session management is
used for accounting and billing purposes and, optionally,
to determine the amount of time the user has had
access to the resource in the current session (useful 
where the user's contact time is restricted). Password 
management is used to change the password from time 






EP 1 050 993 A2 




to time. The PAM implements each of these four man- 
agement items as a separate, pluggable module. A par- 
ticular user may not need to be interrogated or 
monitored by all four modules. Alternatively, the user's 
access request may be processed in parallel by two or 
more of the four modules. 

[0016] According to the invention, the authentica- 
tion system may allocate a strength and/or a priority to 
each of several authentication mechanisms associated 
with a particular application or resource, may apply 
these mechanisms in a particular order, and/or may 
require that the user satisfy or pass at least a selected 
number of these tests in order to gain access to the 
application. Each associated authentication test may 
have an assigned weight value w_i (0 < w_i < 1; i = 1, ..., I;
I > 1), which may increase with increasing strength or pri-
ority for the associated test, and the system may assign
to the user a "test score"

$$TS = \sum_{i=1}^{I} w_i \, ATS(i), \qquad (1)$$



where ATS(i) = 1 if the user passes authentication test 
number i and ATS(i) = 0 otherwise. The system option- 
ally denies user access to the application unless the 
user's test score is at least equal to a selected threshold 
test score value TS_thr (i.e., TS ≥ TS_thr), even if the user
passes at least one of the associated authentication
tests. The threshold test score TS_thr may vary with the
particular application for which access is sought. 
[0017] Figures 2A-2B present a flow chart illustrat-
ing a procedure that incorporates this approach. In step
21, the user seeks access to a particular application or
resource. In step 23, the system determines which
authentication mechanisms (i = 1, ..., I) are associated
with access to the chosen application. In step 25, the
system determines the test score threshold associated
with the chosen resource. In step 27, the system is ini-
tialized, with i = 1 and TS(0) = 0. In step 29, the system
presents the user with authentication mechanism
number i, and the user responds to this test number i in
step 31. In step 33, the system determines whether the
user has passed authentication test number i. If the
answer to the query in step 33 is "yes," the system sets
ATS(i) = 1, in step 35, and passes to step 39 (Figure
2B). If the answer to the query in step 33 is "no," the
system sets ATS(i) = 0, in step 37, and passes to step
39. In step 39 (Figure 2B), the system multiplies ATS(i)
by a weight w_i assigned to the test number i, adds the
quantity w_i ATS(i) to the old sum TS(i-1) to form a new
sum TS(i), and increments the index i (i -> i+1), in step
40. In step 41, the system determines whether i satis-
fies the condition i ≥ I+1. If the answer to the query in
step 41 is "no," the system returns to step 29 and
repeats steps 29, 31, 33, 39, 40 and 41 at least once. If
the answer to the query in step 41 is "yes," the system
moves to step 43 and compares the sum TS(I) with the
associated threshold test score TS_thr. If TS(I) ≥ TS_thr,
user access to the application is granted, in step 45. If
TS(I) < TS_thr, user access to a default subset of the
application is granted, in step 47, where the default sub-
set may be the empty set.

[0018] Alternatively, the system may set a strictly
monotonic sequence of test score threshold values,
TS_thr,1, TS_thr,2, ..., TS_thr,N with TS_thr,1 < TS_thr,2 < ... <
TS_thr,N and N ≥ 1, and may allow the user access to a
selected subset of the full resource, depending upon
which threshold values the user's test score equals or
exceeds. As the user's test score TS(I) increases, the
user is granted access to more and more subsets of the
target application.

[0019] Figures 3A-3B-3C illustrate the procedure
according to this alternative embodiment. Steps 21-41
in Figures 3A-3B-3C are performed as in Figures 2A-2B
to compute the sum TS(I). In step 51 (Figure 3B), the
system provides a monotonic sequence of N threshold
values (N>2), TS_thr,1 < TS_thr,2 < ... < TS_thr,N, that will be
used to determine what access, if any, the user may be
granted within the application or resource. In step 53,
the system is initialized by setting a counting index n =
1. In step 55, the system determines whether the sum
TS(I) satisfies the condition TS(I) ≥ TS_thr,n. If the answer
to the question in step 55 is "no", the system determines
whether n = 1, in step 57 (Figure 3C).
[0020] If the answer to the question in step 57 is
"yes", the system grants the user access to a first
default subset S_0 of the application, in step 59. This first
default subset can be the empty subset, which effec-
tively denies the user access to any part of the applica-
tion. If the answer to the question in step 57 is "no",
corresponding to n > 1, the system grants the user
access to a selected subset S_{n-1} of the application.
[0021] If the answer to the question in step 55 is
"yes", the system increments the count index n (n ->
n+1), in step 63, and determines whether n satisfies the
condition n ≥ N+1, in step 65. If the answer to the ques-
tion in step 65 is "no", the system returns to and repeats
step 55 at least once. If the answer to the question in
step 65 is "yes", the system grants the user access to
another default subset S_N, which is optionally the entire
application, in step 67.
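
The test score of equation (1) and the threshold walk of paragraphs [0016]-[0021], as an added Python example that is not part of the patent text. The test names, weights, thresholds, subset labels and credential checks are constructed assumptions; the index n here counts thresholds met, so it names the granted subset S_n directly.

```python
# Added example (not from the patent): weighted test score of equation (1)
# and the multiple-threshold subset selection of steps 51-67.
import hashlib
import hmac
from dataclasses import dataclass
from fractions import Fraction
from typing import Callable, FrozenSet, Mapping, Sequence, Tuple

Responses = Mapping[str, str]


@dataclass(frozen=True)
class AuthTest:
    name: str
    weight: Fraction                      # w_i, with 0 < w_i < 1
    check: Callable[[Responses], bool]    # True when the user passes test i


@dataclass(frozen=True)
class Decision:
    score: Fraction                       # TS
    passed: Tuple[str, ...]
    failed: Tuple[str, ...]               # identifies which tests were not passed
    tier: int                             # n, index of the granted subset S_n
    granted: FrozenSet[str]


def compute_score(tests: Sequence[AuthTest], responses: Responses):
    """Steps 27-41: TS = sum of w_i * ATS(i) over all tests."""
    ts, passed, failed = Fraction(0), [], []
    for t in tests:
        try:
            ok = bool(t.check(responses))
        except Exception:
            ok = False                    # fail closed: an erroring test scores ATS(i) = 0
        if ok:
            ts += t.weight
            passed.append(t.name)
        else:
            failed.append(t.name)
    return ts, tuple(passed), tuple(failed)


def authorize(tests, responses, thresholds, subsets) -> Decision:
    """Steps 51-67: grant S_n, where n counts the thresholds that TS meets."""
    if not all(0 < t.weight < 1 for t in tests):
        raise ValueError("each weight must satisfy 0 < w_i < 1")
    if any(a >= b for a, b in zip(thresholds, thresholds[1:])):
        raise ValueError("thresholds must be strictly increasing")
    if len(subsets) != len(thresholds) + 1:
        raise ValueError("need one subset per tier: S_0 .. S_N")
    ts, passed, failed = compute_score(tests, responses)
    n = 0
    while n < len(thresholds) and ts >= thresholds[n]:
        n += 1
    return Decision(ts, passed, failed, n, frozenset(subsets[n]))


# --- Constructed policy and credentials, for illustration only ---------------
_SALT = b"constructed-salt"
_PW_HASH = hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 10_000)


def _password_ok(r: Responses) -> bool:
    cand = hashlib.pbkdf2_hmac("sha256", r["password"].encode(), _SALT, 10_000)
    return hmac.compare_digest(cand, _PW_HASH)


TESTS = [
    # Stand-ins: a real deployment would call the TLS and Kerberos modules here.
    AuthTest("ssl_client_cert", Fraction("0.5"), lambda r: r["client_cert_verified"] == "yes"),
    AuthTest("kerberos", Fraction("0.3"), lambda r: r["krb_ticket_valid"] == "yes"),
    AuthTest("password", Fraction("0.2"), _password_ok),
]
THRESHOLDS = [Fraction("0.2"), Fraction("0.5"), Fraction(1)]
SUBSETS = [set(), {"read"}, {"read", "write"}, {"read", "write", "admin"}]

if __name__ == "__main__":
    for resp in (
        {"password": "correct horse"},
        {"password": "correct horse", "krb_ticket_valid": "yes"},
        {"password": "wrong", "client_cert_verified": "yes", "krb_ticket_valid": "yes"},
    ):
        d = authorize(TESTS, resp, THRESHOLDS, SUBSETS)
        print(d.score, d.tier, sorted(d.granted), "failed:", d.failed)
```

With these constructed weights, Kerberos plus password sums to exactly 1/2 and reaches the second tier without the client certificate, so additive scoring lets several weaker tests stand in for a stronger one and the weights need review with that in mind. Exact Fraction arithmetic keeps a score that equals a threshold from falling below it through float rounding.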

[0022] The preceding embodiments may be char- 
acterized as "bottom up" approaches, in which the sys- 
tem allows user access to a default subset of the 
application or resource, which may be the empty set, initially.
The system also allows access by the user to
more and more of the application or resource as the 
user satisfies or passes more and more of the authenti- 
cation tests. 

[0023] In an alternative "top down" approach, illustrated
in a flow chart in Figures 4A-4B, the user begins
with potential access to the entire resource or applica-
tion and loses access to particular subsets of the
resource as the user fails to satisfy or pass one or more
of the authentication tests. In step 71, the user seeks
access to a resource, or to a subset thereof. In step 73,
the system provides I authentication mechanisms, num-
bered i = 1, 2, ..., I (I>1) associated with that applica-
tion. In step 75, the system is initialized at i = 1. In step
77, the user is presented with authentication test 
number i, and the user responds to test number i in step 
79. In step 81, the system determines whether the user 
has passed test number i. 

[0024] If the answer to the query in step 81 is "yes",
the system grants the user access to a selected
resource subset S_i, in step 85 (Figure 4B). The system
then moves to step 87 and increments the count index i
(i -> i+1). In step 89, the system determines whether the
count index i satisfies the condition i ≥ I+1. If the answer
to the query in step 89 is "yes", the system moves to
step 91 and grants the user access to the full resource
set, or a modified or default version thereof. If the
answer to the query in step 89 is "no", the system
returns and repeats steps 77, 79 and 81 at least once.
[0025] If the answer to the query in step 81 is "no",
the system grants the user access to a selected default
subset S_i,def of the resource subset S_i, in step 83, and
optionally continues with step 87, where the count index
i is incremented and tested against I+1 (step 89). The
default subset S_i,def is optionally the empty set.
[0026] At the end of the procedure(s) shown in Fig- 
ures 4A-4B, if the user has failed to satisfy or pass the 
authentication tests number i = i1, i2, ..., iM, among the
total number I of authentication tests (0 < M < I; I > 1),
the system allows the user access to one or more of
certain default subsets, S_i1,def, S_i2,def, ..., S_iM,def, so that
the user now has access to the union of these default sub-
sets of the original "whole" resource or application set
S. Each time the user satisfies or passes an authentica- 
tion test, the subset of the resource to which the user 
has access is unchanged (no loss at this stage). 
[0027] Where multiple users are present, first and 
second users who seek access to different portions of a 
resource are optionally presented with different 
sequences of authentication tests to determine the por- 
tion of the resource to which each user will be granted 
access. For example, the first user may be presented 
with authentication tests number one, two and four for 
access to a first selected portion of the resource; and 
the second user may be presented with authentication 
tests number two, three, four and five for access to a 
second selected portion of the resource. Alternatively, 
where the first and second users pass the same authen- 
tication test (e.g., test number two), the portion of the 
resource to which each is granted access may be differ- 
ent for each user. For example, the first and second 
users may be granted access to different portions of a 
given confidential document affecting national security, 
because these two users have different "needs to
know."

[0028] The resource or application to which a user 
seeks access may change from time to time. For example,
a resource may include a collection of documents of
various levels of classification (e.g., company private 
and confidential, secret and top secret at the federal 
level), and the level of authentication required for
access may be set by the document(s) with the highest
level of confidentiality. The federal government down-
grades the classification of selected documents from
time to time, and the authentication level required may
be correspondingly reduced as a result of this downgrade,
or as a result of removal of one or more docu-
ments from the resource. Conversely, one or more
additional documents with a higher classification level
may be added to the resource, and this upgrade in clas-
sification may require an increase in authentication level
for access to the resource.

[0029] In another alternative embodiment, one or 
more authentication levels or tests associated with a 
given resource optionally change at a given time, pos-
sibly as a result of change of characterization of the
resource, or of one or more documents or other objects
that are part of or associated with the resource. This
change would be implemented at a time that is approxi-
mately contemporaneous with the change in character-
ization and would be subject to subsequent changes in
characterization.

[0030] The preceding embodiments may be imple- 
mented by presenting the user with a sequence of one 
or more authentication tests and requiring the user to 
affirmatively "pass" one or more of these tests, in order
to obtain access to part or all of the resource.

[0031] Alternatively, the user may be issued a 
smartcard containing cleartext and/or (preferably) 
encrypted responses or "keys" to I authentication tests
(I>2), where each response may, but need not, correspond
to passage of an authentication test. In this
approach, the user presents his/her smartcard to the 
system, the system reads the card and determines 
which, if any, of the entries on the smartcard correspond 
to passage of an authentication test, and which test.
The smartcard is read by a computer, which tracks
which authentication tests the smartcard has "passed" 
and thereby determines a corresponding subset of the 
resource (which may be the whole resource, a proper sub-
set of the whole resource, or the empty set) to which the
user has access, based on the user's smartcard score.
Preferably, the smartcard requires specification of a 
card owner's PIN, which must correspond to the smart- 
card presented, in order to read the smartcard and 
determine its score on one or more authentication tests.
This approach requires possession of both the smart-
card and special knowledge (the PIN) before access to 
(portions of) a resource is granted. 
[0032] The Pluggable Authentication Mechanism 
(PAM), which provides integration of one or more
authentication tests, is compatible with the invention.
The PAM need not be altered, only enhanced, in order 
to implement the invention. 
Claims

1. A method of authorization of user access to a
selected resource, the method comprising the
steps of:

providing I user authentication mechanisms,
numbered i = 1, 2, ..., I (I>1), for authenticating
a user who seeks access to a resource, where
the ith authentication mechanism has an asso-
ciated authentication weight w_i;
providing a user response for each of the
authentication mechanisms;
computing a sum TS of all the weights w_i for
which the user satisfies authentication test
number i; and
when the sum TS is not at least equal to a
threshold value TS_thr,1, granting the user
access to a selected default subset of the
resource.

2. The method of claim 1, further comprising the step
of selecting said default subset to be an empty set.

3. The method of claim 1, further comprising the step
of granting said user access to said resource when
said sum TS is at least equal to said threshold value
TS_thr,1.

4. The method of claim 1, further comprising the step
of granting said user access to a second selected
subset of said resource when said sum TS is at
least equal to said threshold value TS_thr,1 and is not
at least equal to a second selected threshold value
TS_thr,2, where TS_thr,1 < TS_thr,2 and said first
selected subset is contained in said second
selected subset.

5. The method of claim 1, further comprising the step
of associating a numerical cryptographic strength
with each of said authentication mechanisms.

6. The method of claim 5, further comprising the step
of selecting a sequence of said associated weights
w_i that increases monotonically with an increase of
said cryptographic strength of said associated
authentication mechanism i, for at least one value
of i (i = 1, ..., I).

7. The method of claim 1, further comprising the step
of causing a change in at least one of said test and
said weight associated with at least one of said
authentication mechanisms at a selected time.

8. The method of claim 7, further comprising the step
of choosing said selected time to be approximately
equal to a selected time at which said resource
changes.

9. The method of claim 1, wherein at least one of said
responses from said user is provided by a smart-
card that is programmed to provide said user
response in response to receiving a selected elec-
tronic command.



10. A method of authorization of user access to a
selected resource, the method comprising the
steps of:

providing I user authentication mechanisms,
numbered i = 1, 2, ..., I (I>1), for authenticating
a user who seeks access to a resource, where
the ith authentication mechanism has an asso-
ciated authentication weight w_i;
providing a user response for each of the
authentication mechanisms;
computing a sum TS of all the weights w_i for
which the user satisfies the ith authentication
test;
providing a sequence of threshold values
TS_thr,j (j = 1, 2, ..., J; J>1) satisfying TS_thr,1
< TS_thr,2 < ... < TS_thr,J; and
when the sum TS satisfies the condition TS_thr,j
≤ TS < TS_thr,j+1 for some integer j in the range
1 ≤ j ≤ J-1, allowing the user access to a
selected subset of the resource corresponding
to the value TS_thr,j.

11. The method of claim 10, further comprising the step
of denying said user access to said resource when
said sum TS is less than said threshold value
TS_thr,1.

12. The method of claim 10, further comprising the step
of granting said user access to a selected default
subset of said resource when said sum TS is less
than said threshold value TS_thr,1.

13. The method of claim 10, further comprising the step
of associating a numerical cryptographic strength
with each of said authentication mechanisms.

14. The method of claim 13, further comprising the step
of selecting a sequence of said associated weights
w_i that increases monotonically with an increase of
said cryptographic strength of said associated
authentication mechanism i, for at least one value
of i (i = 1, ..., I).

15. The method of claim 10, further comprising the step
of causing a change in at least one of said test and
said weight associated with at least one of said
authentication mechanisms at a selected time.

16. The method of claim 15, further comprising the step
of choosing said selected time to be approximately
equal to a selected time at which said selected
resource changes.

17. The method of claim 10, wherein at least one of 
said responses from said user is provided by a 
smartcard that is programmed to provide said user 
response in response to receiving a selected elec- 
tronic command. 

18. A system for authorization of user access to a 
selected resource, the system comprising a compu- 
ter that is programmed: 

to provide I user authentication mechanisms,
numbered i = 1, 2, ..., I (I>1) for authenticating a
user who seeks access to a resource, where
the ith authentication mechanism has an asso-
ciated authentication weight w_i;
to receive or provide a user response for each
of the authentication mechanisms;
to compute a sum TS of all the weights w_i for
which the user satisfies the ith authentication
test; and
when the sum TS is not at least equal to a
threshold value TS_thr,1, to grant the user
access to a selected default subset of the
resource.

19. The system of claim 18, wherein said computer is 
further programmed to select said default subset to
be an empty set.

20. The system of claim 18, wherein said computer is 
further programmed to grant said user access to 
said resource when said sum TS is at least equal to 
said threshold value TS_thr,1.

21. The system of claim 20, wherein said computer is 
further programmed to grant said user access to a 
second selected subset of said resource when said 
sum TS is at least equal to said threshold value 
TS_thr,1 and is not at least equal to a second
selected threshold value TS_thr,2, where TS_thr,1 <
TS_thr,2 and said first selected subset is contained in
said second selected subset. 

22. The system of claim 18, wherein said computer is 
further programmed to associate a numerical cryp- 
tographic strength with each of said authentication 
mechanisms. 

23. The system of claim 22, wherein said computer is 
further programmed to select a sequence of said 
associated weights w_i that increases monotonically
with an increase of said cryptographic strength of 
said associated authentication mechanism i, for at 
least one value of i (i = 1 , ... , I). 

24. The system of claim 18, wherein said computer is 



further programmed to cause a change in at least 
one of said test and said weight associated with at 
least one of said authentication mechanisms at a 
selected time. 

5 

25. The system of claim 24, wherein said computer is 
further programmed to choose said selected time to 
be approximately equal to a selected time at which 
said resource changes. 

26. The system of claim 18, further comprising a smartcard,
associated with said user, that communicates
with said computer and that is programmed to provide
said user response in response to receiving at
least one selected electronic command.

27. A system for authorization of user access to a
selected resource, the system comprising a computer
that is programmed:

to provide I user authentication mechanisms,
numbered i = 1, 2, ..., I (I > 1) for authenticating a
user who seeks access to a resource, where
the ith authentication mechanism has an associated
authentication weight $w_i$;
to receive or provide a user response for each
of the authentication mechanisms;
to compute a sum TS of all the weights $w_i$ for
which the user satisfies the ith authentication
test;
providing a sequence of threshold values
$TS_{thr,j}$ (j = 1, 2, ..., J; J > 1) satisfying
$TS_{thr,1} < TS_{thr,2} < \cdots < TS_{thr,J}$; and
when the sum TS satisfies the condition
$TS_{thr,j} \le TS < TS_{thr,j+1}$ for some integer j in the
range $1 \le j \le J-1$, to allow the user access to a selected
subset of the resource corresponding to the
value $TS_{thr,j}$.

28. The system of claim 27, wherein said computer is
further programmed to deny said user access to
said resource when said sum TS is less than said
threshold value $TS_{thr,1}$.

29. The system of claim 27, wherein said computer is
further programmed to grant said user access to a
default subset of said resource when said sum TS
is less than said threshold value $TS_{thr,1}$.

30. The system of claim 27, wherein said computer is
further programmed to associate a numerical
cryptographic strength with each of said authentication
mechanisms.

31. The system of claim 30, wherein said computer is
further programmed to select a sequence of said
associated weights $w_i$ that increases monotonically
with an increase of said cryptographic strength of
said associated authentication mechanism i, for at
least one value of i (i = 1, ..., I).

32. The system of claim 27, wherein said computer is
further programmed to cause a change in at least
one of said test and said weight associated with at
least one of said authentication mechanisms at a
selected time.

33. The system of claim 32, wherein said computer is
further programmed to choose said selected time
to be approximately equal to a selected time at
which said resource changes.

34. The system of claim 27, further comprising a smartcard,
associated with said user, that communicates
with said computer and that is programmed to provide
said user response in response to receiving at
least one selected electronic command.

35. An article of manufacture comprising:

a computer usable medium having computer
readable program code means embodied in
the medium for authorizing access to a
resource, the computer readable program code
means in the article of manufacture comprising:

computer readable program code means for
providing I user authentication mechanisms,
numbered i = 1, 2, ..., I (I > 1) for authenticating a
user who seeks access to a resource, where
the ith authentication mechanism has an associated
authentication weight $w_i$;
computer readable program code means for
receiving or providing a user response for each
of the authentication mechanisms;
computer readable program code means for
computing a sum TS of all the weights $w_i$ for
which the user satisfies authentication test
number i; and
when the sum TS is not at least equal to a
selected threshold value $TS_{thr,1}$, computer
readable program code means for denying the
user access to the resource.

36. The article of manufacture of claim 35, further comprising
computer readable program code means for
granting said user access to said resource when
said sum TS is at least equal to said threshold value
$TS_{thr,1}$.

37. The article of manufacture of claim 35, further comprising
computer readable program code means for
granting said user access to a second selected
subset of said resource when said sum TS is at
least equal to said threshold value $TS_{thr,1}$ and is not
at least equal to a second selected threshold value
$TS_{thr,2}$, where $TS_{thr,1} < TS_{thr,2}$ and said first
selected subset is contained in said second
selected subset.

38. The article of manufacture of claim 35, further comprising
computer readable program code means for
associating a numerical cryptographic strength with
each of said authentication mechanisms.

39. The article of manufacture of claim 38, further comprising
computer readable program code means for
selecting a sequence of said associated weights $w_i$
that increases monotonically with an increase of
said cryptographic strength of said associated
authentication mechanism i, for at least one value
of i (i = 1, ..., I).

40. The article of manufacture of claim 35, further comprising
computer readable program code means for
causing a change in at least one of said test and
said weight associated with at least one of said
authentication mechanisms at a selected time.

41. The article of manufacture of claim 40, further comprising
computer readable program code means for
choosing said selected time to be approximately
equal to a selected time at which said selected
resource changes.

42. The article of manufacture of claim 35, further comprising
computer readable program means, contained
in a smartcard, associated with said user,
that communicates with said computer and that is
programmed to provide said user response in
response to receiving at least one selected electronic
command.
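
The tiered decision of claims 27 to 29, together with the weight ordering of claims 23 and 31, as an added Python illustration that is not part of the patent text. The mechanism names, strengths, weights, thresholds and resource subsets are constructed sample values; requiring positive weights, requiring nested subsets (as in claims 21 and 37), and granting the largest subset once TS reaches the last threshold are assumptions.

```python
from bisect import bisect_right
from dataclasses import dataclass

@dataclass(frozen=True)
class Mechanism:
    name: str
    strength: int  # numerical cryptographic strength (claims 22, 30)
    weight: int    # authentication weight w_i

def weights_monotone(mechs):
    """Claims 23/31: a cryptographically stronger mechanism carries a larger weight."""
    return all(a.weight < b.weight
               for a in mechs for b in mechs if a.strength < b.strength)

def total_score(mechs, passed):
    """TS = sum of w_i over satisfied tests; names not in mechs contribute nothing."""
    return sum(m.weight for m in mechs if m.name in passed)

def authorize(mechs, passed, thresholds, subsets, default=frozenset()):
    """Return (TS, granted subset) for thresholds TS_thr,1 < ... < TS_thr,J."""
    if any(m.weight <= 0 for m in mechs):
        raise ValueError("weights must be positive (assumption)")
    if len(thresholds) != len(subsets):
        raise ValueError("one subset per threshold")
    if any(a >= b for a, b in zip(thresholds, thresholds[1:])):
        raise ValueError("thresholds must strictly increase")
    if any(not a <= b for a, b in zip(subsets, subsets[1:])):
        raise ValueError("subsets must be nested (assumption)")
    ts = total_score(mechs, passed)
    j = bisect_right(thresholds, ts)  # number of thresholds with TS_thr,j <= TS
    # j == 0: TS < TS_thr,1, so only the default subset (empty set = deny).
    # j == J: TS >= TS_thr,J; granting the top subset is an assumption.
    return ts, (default if j == 0 else subsets[j - 1])

# Constructed sample policy, not taken from the patent.
MECHS = [Mechanism("password", 40, 1), Mechanism("otp", 80, 3),
         Mechanism("smartcard", 128, 5)]
THRESHOLDS = [3, 6, 9]
SUBSETS = [frozenset({"read"}), frozenset({"read", "write"}),
           frozenset({"read", "write", "admin"})]

if __name__ == "__main__":
    for passed in ({"password"}, {"otp"}, {"password", "smartcard"}):
        print(sorted(passed), authorize(MECHS, passed, THRESHOLDS, SUBSETS))
```

Passing a non-empty `default` gives the behaviour of claim 29; leaving it empty gives the denial of claim 28.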